Attacker might be able to execute malicious Perl code in the Template toolkit, by having the admin installing an unverified 3th party package
otrs otrs